Bitrix Web Antivirus: Your Personal Intranet Security
The PRO+PRO System now includes a new proactive protection element, the Web Antivirus (beta version). The Web Antivirus makes it safer to run and manage web projects developed using Bitrix Site Manager or Bitrix Intranet Portal. It allows Bitrix web applications to take action against web threats seven times faster than most other existing content management systems.
- An elaborate web antivirus system;
- Shields websites against harmful HTML-implants;
- Detects 90% of potential infection threats;
- Notifies administrator upon location of dangerous code;
- Detects and reports on incoherence of code elements;
- Includes a "white list" to reduce false positive alerts.
Note: The Bitrix Web Antivirus cannot replace any standard antivirus programs installed on your computer. We recommend that you use the Bitrix Web Antivirus along with your regular antivirus program.
Web Antivirus as part of PRO+PRO System
The main purpose of the PRO+PRO module is to repel hacker attacks and system intrusions, and to prevent the direct or hidden threats that are widespread on the Internet.
The Proactive filter (Web Application FireWall), One Time Password Technology, Intrusion Log, Script Integrity Control, Stop Lists and other components that belong to the PRO+PRO System have always offered the highest standard of web security to our users. The newly added Web Antivirus adds more safety features to the PRO+PRO System that now can seal the otherwise invisible trapdoors inside your web project. No more harmful implants and intruders inside your website's code!
According to the Bitrix HelpDesk and Technical Support Department report, most cases where web project integrity is compromised involve infection of websites by malicious codes, as shown in a sample scenario, below:
Bitrix Web Antivirus as supplementary protection
Of course, the Bitrix Web Antivirus is not omnipotent. It cannot monitor or filter your FTP traffic in order to prevent a Trojan virus from intruding into your website. That is why we strongly recommend that you use an antivirus program that will monitor all processes run on your computer. However, the Web Antivirus is a great enhancement of your security: it can screen your HTML code and detect any redundant, suspicious, and harmful elements and inform you before anything bad happens to your website.
The Bitrix Web Antivirus is not designed to replace standard antivirus programs installed on your computer. It cannot monitor or filter your FTP traffic and prevent a Trojan virus from intruding into your website, or screen any of the documents contained on the web server or local computer, and it cannot detect any virus-infected .pdf, .doc or flash files.
However, it can screen your HTML code and detect any redundant, suspicious, and harmful elements, alert you, or even remove the irregular code segments automatically. The Bitrix Web Antivirus also detects suspicious download links (these are not covered by regular antivirus programs). Compared to other antivirus protection systems, the Bitrix Web Antivirus uses less strict virus signatures and does not display the virus names. Importantly, there is a "white list" that helps the program avoid false alerts and differentiate between bad code segments and the good ones.
We recommend that you use the Bitrix Web Antivirus in addition to your regular antivirus program to enhance the security level of your web projects. Combined with safety features provided by a locally installed antivirus program, the Bitrix Web Antivirus greatly enhances the security level of your web projects.
Different protection modes
If dangerous HTML code is found, the Bitrix Web Antivirus performs one of the following sets of operations, depending on the mode you set:
- By default, the Bitrix Web Antivirus alerts the website administrator but does not modify any of the suspicious elements inside the code;
- The automatic mode lets the Bitrix Web Antivirus cut out (quarantine) all potentially dangerous code elements without confirmation from the administrator, report issues to the website administrator and wait for the website administrator's further action (this mode is not yet available in the current beta version).
Note: The Bitrix Web Antivirus is now available only in beta version. It does not block any viruses but only reports suspicious activity on the website and alerts about possibly dangerous elements inside the HTML code. The website administrator makes the final decision whether to delete the suspicious area or not.
HTML-code analysis approach
The Possible Threat Level mechanism used by the Bitrix Web Antivirus is based on simple "weight" rules:
- Code blocks are disassembled into separate elements and then screened according to special rules. The rules are clustered into rule groups; matching a single rule within a group is enough to trigger a suspicious-element alert. If more than one rule in a group is matched, the rule with the greater "weight" is used as the basis for the alert.
- Certain rules can have a negative "weight" value, meaning that they argue for the safety of the block. Once all values are combined, each block is rated with a positive value, a negative value, or zero. The greater the positive value, the more likely it is that the block contains irregular and dangerous code elements.
- The "weights" of all matching rules combine into the Possible Threat Level rating of the screened block. If the rating exceeds a pre-defined threshold, the code block is considered suspicious.
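The weight-rule scheme above, written out as an added example (this is my own illustration, not Bitrix's scanner, and the rule set, weights, threshold, white list and sample page are all constructed for it). A page is split into separately rated blocks (here every `<script>` and `<iframe>` element), each rule group contributes only its heaviest matching rule, a white-listed script source contributes a negative weight, and a block whose summed Possible Threat Level exceeds the threshold is reported:

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass(frozen=True)
class Rule:
    name: str
    group: str      # only the heaviest matched rule of a group counts
    pattern: str    # regular expression applied to one code block
    weight: int     # negative weights argue that the block is safe


# Hypothetical rule set, constructed for this example; the real Bitrix rules are not on the page.
RULES = (
    Rule("script-tag",      "element",     r"<script\b", 1),
    Rule("iframe-tag",      "element",     r"<iframe\b", 2),
    Rule("zero-size-frame", "hiding",      r"\b(?:width|height)\s*=\s*[\"']?0\b", 4),
    Rule("hidden-style",    "hiding",      r"visibility\s*:\s*hidden|display\s*:\s*none", 3),
    Rule("eval",            "obfuscation", r"\beval\s*\(", 4),
    Rule("unescape",        "obfuscation", r"\bunescape\s*\(", 3),
    Rule("charcode",        "obfuscation", r"fromCharCode", 3),
)
THRESHOLD = 4                              # block is suspicious when its level is greater than this
WHITELIST_HOSTS = {"cdn.example.com"}      # constructed "white list" of trusted script sources
WHITELIST_WEIGHT = -4                      # negative weight contributed by a whitelisted src

# "Disassemble" the page into separately scored blocks: here, every <script> and <iframe> element.
BLOCK_RE = re.compile(r"<(script|iframe)\b.*?</\1\s*>", re.IGNORECASE | re.DOTALL)
SRC_RE = re.compile(r"\bsrc\s*=\s*[\"']?([^\s\"'>]+)", re.IGNORECASE)


def split_blocks(html):
    return [m.group(0) for m in BLOCK_RE.finditer(html)]


def score_block(block):
    """Return (possible_threat_level, matched rule names) for one block."""
    best = {}  # group -> (weight, rule name); keeps the heaviest rule per group
    for rule in RULES:
        if re.search(rule.pattern, block, re.IGNORECASE):
            if rule.group not in best or rule.weight > best[rule.group][0]:
                best[rule.group] = (rule.weight, rule.name)
    src = SRC_RE.search(block)
    if src and urlparse(src.group(1)).hostname in WHITELIST_HOSTS:
        best["whitelist"] = (WHITELIST_WEIGHT, "whitelisted-src")
    level = sum(weight for weight, _ in best.values())
    return level, sorted(name for _, name in best.values())


def scan(html, threshold=THRESHOLD):
    """Return [(level, rule names, block)] for every block rated above the threshold."""
    findings = []
    for block in split_blocks(html):
        level, names = score_block(block)
        if level > threshold:
            findings.append((level, names, block))
    return findings


# Constructed sample page: one whitelisted script, one harmless inline script,
# one hidden zero-size iframe and one obfuscated inline script.
SAMPLE_PAGE = """
<html><body>
<script src="https://cdn.example.com/ui.js"></script>
<script>document.getElementById('menu').onclick = toggle;</script>
<iframe src="http://203.0.113.9/x" width="0" height="0" style="visibility:hidden"></iframe>
<script>eval(unescape('%61%6c%65%72%74'));</script>
</body></html>
"""

if __name__ == "__main__":
    for level, names, block in scan(SAMPLE_PAGE):
        print(f"level {level:>2}  {', '.join(names):<30} {block[:60]}")
```

With these constructed weights the whitelisted script rates -3, the plain inline script 1, the hidden iframe 6 and the obfuscated script 5, so only the last two are reported. Tuning the threshold and adding negative-weight rules is exactly where the false-positive rate discussed later on the page is controlled.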
Bitrix Web Antivirus statistics
For initial testing, we used over 30 different viruses and more than 140 legitimate scripts and frames. The Web Antivirus prototype showed highly satisfactory results:
- 100% of all potentially dangerous elements (all 30 viruses) were detected;
- 2-3% rate of false positive alerts.
As you can see, the Bitrix Web Antivirus was 100% effective against real threats; however, this was just a test, and the number of existing viruses is far greater than 30. The Web Antivirus is improved and enhanced with every new update. Also, false alerts will appear less and less often because the rules used by the Bitrix Antivirus Mechanism are modified and extended with each false positive instance. The Bitrix Web Antivirus is regularly updated through the SiteUpdate System, as are the other components of the PRO+PRO System.
Bitrix Web Antivirus testing
The Bitrix Web Antivirus can be installed along with the latest Bitrix product update. The Bitrix Web Antivirus will be available as part of the PRO+PRO (Proactive Protection) inside the Security Panel offering the basic security level. You can test the Bitrix Web Antivirus, leave it enabled or switch it off any time later.
After the beta version of Bitrix Web Antivirus becomes a standard tool of PRO+PRO System, it will have two modes available:
- By default, the Bitrix Web Antivirus alerts the website administrator but does not modify any of the suspicious elements inside the code;
- The automatic mode lets the Bitrix Web Antivirus automatically cut out (quarantine) all potentially dangerous code elements and report the issues to the website administrator and wait for the website administrator's further action (will be available with the official release).
Your Bitrix Web Project Safety Features
Proactive filter (Web Application FireWall)
The Web Application Firewall protects the system from most known web attacks. The filter recognizes dangerous threats in incoming requests and blocks intrusions. Proactive Filter is the most effective way to guard against possible security defects in a web project implementation (XSS, SQL Injection, PHP Including etc.). The filter fully analyzes all data received from visitors in variables and cookies.
* Note that some harmless actions which a visitor may perform can be considered suspicious and cause the filter to react.
- protects from most known web attacks;
- screens a web application from the most persistent attacks;
- filter exclusion list (with wildcards);
- recognizes most dangerous threats;
- blocks site intrusions;
- protects from possible security errors;
- keeps an attack log;
- informs administrator about intrusions;
- configurable options for firewall reaction to intrusion attempts:
  - make data safe;
  - delete unsafe data;
  - temporarily add the attacker’s IP address to the stop list.
- latest updates.
Control panel to set protection level
Any website based on Bitrix Site Manager is preconfigured with the basic protection level. However, you can improve the site security significantly by selecting one of the Proactive Protection module presets: standard, high or highest. The system will show you tips about any parameter you may need to configure.
- basic level – assigned to all web projects running without the Proactive Protection module;
- standard level – enables the most common proactive protection features:
  - the proactive filter (site wide);
  - weekly intrusion log;
  - activity control;
  - high security level for administrators;
  - CAPTCHA protected registration procedure;
  - error logging (errors only).
- high level is the recommended security level which can be applied to any project conforming to the standard level requirements. This level adds the following features:
  - Kernel module event logging;
  - Control Panel protection;
  - storing sessions in the database;
  - change of session identifier.
- highest level includes special protection tools essential for sites keeping confidential user information (web shops etc.). This level adds the following functions:
  - one time passwords;
  - control script integrity verification.
The intrusion log registers all events occurring in the system including uncommon, suspicious and malicious events. The log is updated in real time so you can view the events as soon as they have been registered. This feature enables you to discover attacks and intrusion attempts while they occur, so you can respond immediately and even prevent attacks.
- immediately registers all system events;
- logs attacks detected by the proactive filter:
  - SQL injection;
  - XSS attack;
  - PHP including.
- filter for malicious events;
- view and analyze events in real time to prevent attacks in future;
- immediate reaction to malicious events.
The Proactive Protection module supports one-time passwords for any site users.
These passwords are especially recommended to be used by the site administrators since they significantly improve security of the “Administrators” user group.
The concept of one-time passwords strengthens the standard authorization scheme and significantly reinforces the web project security. The one-time password system requires a physical hardware token (device) (e.g., Aladdin eToken PASS) or special OTP software.
This technology gives you confidence that only a user to whom a token has been issued can authorize on the site. Password theft or interception is absolutely excluded because a password can be used only once. A token is a hardware device that generates a unique password only when the token button is pressed. Effectively, this means that a token owner is unable to tell the password to a third party to allow them to authorize as well.
- strengthens web project security;
- hardware tokens;
- software OTP;
- extended OTP authentication: a user must append a one-time password to their normal password;
- authorization using a login and a compound password;
- uses two consecutive OTP passwords generated by a token;
- synchronizes the token and server generator counters whenever synchronization is lost.
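The counter-based token scheme described in this section, as an added example of the server side (my own code, not Bitrix's OTP implementation). It uses HOTP from RFC 4226 as the generator, the "compound password" login where the one-time code is appended to the normal password, a look-ahead window so a token that was pressed a few times without logging in is still accepted, and the two-consecutive-codes resynchronization used when the token has run far ahead of the server. Window sizes are my assumptions; the test secret is the RFC 4226 test vector key:

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, dynamically truncated to `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class OtpServer:
    """Server side of a counter-based token. Window sizes are my own choices, not Bitrix's."""

    def __init__(self, secret: bytes, window: int = 5, resync_window: int = 50, digits: int = 6):
        self.secret = secret
        self.counter = 0                  # next counter value the server expects
        self.window = window              # how far the token may run ahead on a normal login
        self.resync_window = resync_window
        self.digits = digits

    def _matches(self, counter: int, code: str) -> bool:
        return hmac.compare_digest(hotp(self.secret, counter, self.digits).encode(), code.encode())

    def verify(self, code: str) -> bool:
        """Accept a code within the look-ahead window and move the counter past it (no replay)."""
        for c in range(self.counter, self.counter + self.window):
            if self._matches(c, code):
                self.counter = c + 1
                return True
        return False

    def resync(self, first: str, second: str) -> bool:
        """Recover from a token that drifted beyond the window: the user enters two consecutive
        codes, and only a counter where both match in order re-synchronizes the server."""
        for c in range(self.counter, self.counter + self.resync_window):
            if self._matches(c, first) and self._matches(c + 1, second):
                self.counter = c + 2
                return True
        return False


def check_compound_login(entered: str, stored_password: str, server: OtpServer) -> bool:
    """Extended OTP authentication: the user appends the one-time code to the normal password.
    The static part is checked first so a wrong password does not consume an OTP counter."""
    digits = server.digits
    if len(entered) <= digits:
        return False
    static, code = entered[:-digits], entered[-digits:]
    if not hmac.compare_digest(static.encode(), stored_password.encode()):
        return False
    return server.verify(code)


# RFC 4226 test secret (ASCII "12345678901234567890"); the first codes it yields are
# 755224, 287082, 359152, 969429, 338314, ... for counters 0, 1, 2, 3, 4, ...
TEST_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    server = OtpServer(TEST_SECRET)
    print(check_compound_login("correct horse" + hotp(TEST_SECRET, 0), "correct horse", server))
    print(server.verify(hotp(TEST_SECRET, 0)))   # the same code a second time is a replay
```

Two points of design matter for the page's claims: the server counter only ever moves forward, which is what makes an intercepted code useless after its first use, and resynchronization demands two consecutive codes because a single six-digit code searched over a wide window would be far too easy to hit by chance. In a real deployment the stored password would be a salted hash rather than the plaintext compared here.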
File integrity control
File integrity control helps an administrator reveal maliciously or mistakenly modified system files. You can check the integrity of the system kernel and other system or public files at any time.
- tracks file system changes;
- verifies kernel integrity;
- verifies system area integrity;
- verifies integrity of public files.
Verification of the file integrity control script
Before checking the system integrity, the file integrity control script has to be verified for possible changes. When running the script for the first time, enter a desired password containing at least 10 characters (letters and digits), and any keyword (other than the password), and click “Set New Key”.
The system then:
- verifies the file integrity control script for changes;
- protects the script using the keyword and password pair.
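An added example of the two steps this section describes: hashing the file tree into a baseline manifest, and protecting that baseline with a key derived from the password and keyword pair so that an intruder who edits a kernel file cannot simply rewrite the baseline to match. This is my own illustration, not Bitrix's integrity script; the use of SHA-256, PBKDF2 and an HMAC over the manifest are my choices, and the site tree it checks is constructed in a temporary directory:

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p) for p in sorted(root.rglob("*")) if p.is_file()}


def derive_key(password: str, keyword: str) -> bytes:
    """Turn the page's password + keyword pair into a signing key (PBKDF2 is my choice here)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), keyword.encode(), 100_000)


def sign_manifest(files: dict, key: bytes) -> dict:
    body = json.dumps(files, sort_keys=True).encode()
    return {"files": files, "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify_manifest(signed: dict, key: bytes) -> bool:
    """The baseline itself is what an intruder would edit; refuse to trust it unless the MAC holds."""
    body = json.dumps(signed["files"], sort_keys=True).encode()
    return hmac.compare_digest(hmac.new(key, body, hashlib.sha256).hexdigest(), signed["mac"])


def integrity_report(root: Path, signed: dict, key: bytes) -> dict:
    if not verify_manifest(signed, key):
        raise ValueError("baseline manifest rejected: wrong key or manifest tampered with")
    old, current = signed["files"], build_manifest(root)
    return {
        "modified": sorted(f for f in old if f in current and current[f] != old[f]),
        "added": sorted(set(current) - set(old)),
        "removed": sorted(set(old) - set(current)),
    }


def demo() -> tuple:
    """Build a tiny constructed site tree, take a signed baseline, tamper with it, and report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "kernel").mkdir()
        (root / "kernel" / "main.php").write_text("<?php echo 'ok';")
        (root / "index.php").write_text("<?php include 'kernel/main.php';")
        key = derive_key("Str0ngPassw0rd", "integrity-keyword")
        baseline = sign_manifest(build_manifest(root), key)

        # Simulated compromise: a kernel file edited, a new file dropped, a public file deleted.
        (root / "kernel" / "main.php").write_text("<?php echo 'ok'; /* injected */")
        (root / "kernel" / "extra.php").write_text("<?php /* dropped */")
        (root / "index.php").unlink()
        report = integrity_report(root, baseline, key)

        # An intruder who rewrites the baseline to hide the edit fails the MAC check.
        forged = {"files": {**baseline["files"], "kernel/main.php": "0" * 64}, "mac": baseline["mac"]}
        return report, verify_manifest(forged, key)


if __name__ == "__main__":
    report, forged_ok = demo()
    print(json.dumps(report, indent=2), "forged baseline accepted:", forged_ok)
```

The baseline and the verification script should live where the web server's own account cannot write them; otherwise the same intrusion that modifies a kernel file can modify the check, which is precisely why the page has you verify the control script itself before trusting its results.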
Control Panel protection
This type of protection restricts the networks from which users are allowed to access the Control Panel. All you need to do is specify the legal IP addresses (or a range). No need to worry about not adding yourself to this list: the system will check your IP automatically.
What effect will this protection produce? Any XSS/CSS attacks become ineffective, and interception of authorization data becomes absolutely useless.
- restricts access to Control Panel from any IP’s except those on the white list;
- recognizes the user’s IP address automatically;
- a user can manually supply the allowed IP addresses and the address ranges.
Most web attacks are intended to steal an authorized user’s session data. Enabling the session protection makes session hijacking impossible. Furthermore, concerning an administrator’s authorized session, use of session protection is one of the most effective and necessary security measures.
In addition to the conventional session protection options that are available in the user group parameters, the session protection mechanism includes some special, even unique, features.
Storing session data in the module database prevents data from being stolen by running scripts of other projects on the same server. This approach excludes virtual hosting configuration errors, bad temporary folder permission settings, and other operating system-related errors. Additionally, it reduces file system stress by moving these operations to the database server.
- various protection methods:
  - limited session lifetime (minutes);
  - recurring session ID relay;
  - network mask to associate a session with a specific IP;
  - storing session data in the module database.
- eliminates virtual hosting and OS configuration errors;
- eliminates bad temporary folder permission settings;
- reduces file system stress;
- makes session ID hijacking impossible.
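The three session protection methods listed above (limited lifetime, recurring session ID relay, and a network mask binding the session to the client's IP), as an added example of a server-side session store. This is my own illustration rather than Bitrix's session module; the lifetime, rotation interval and /24 mask are assumed defaults, and `now` is passed in explicitly so the behaviour can be exercised without waiting:

```python
import ipaddress
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Session:
    user: str
    ip: str              # address the session was created from
    created: float
    last_rotated: float
    data: dict = field(default_factory=dict)


class SessionStore:
    """Server-side session store standing in for the page's 'module database'.
    Lifetime, rotation interval and network mask defaults are my own assumptions."""

    def __init__(self, lifetime_min: int = 30, rotate_every_s: int = 300, mask_bits: int = 24):
        self.lifetime = lifetime_min * 60
        self.rotate_every = rotate_every_s
        self.mask_bits = mask_bits
        self._store: Dict[str, Session] = {}

    def create(self, user: str, ip: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)            # 256 bits from the OS CSPRNG: unguessable
        self._store[sid] = Session(user, ip, now, now)
        return sid

    def _same_network(self, a: str, b: str) -> bool:
        net = ipaddress.ip_network(f"{a}/{self.mask_bits}", strict=False)
        return ipaddress.ip_address(b) in net

    def validate(self, sid: str, ip: str, now: Optional[float] = None):
        """Return (session, id_to_send_back) or (None, None).
        The returned id differs from `sid` when the ID was just relayed (rotated)."""
        now = time.time() if now is None else now
        s = self._store.get(sid)
        if s is None:
            return None, None
        if now - s.created > self.lifetime:            # limited session lifetime
            del self._store[sid]
            return None, None
        if not self._same_network(s.ip, ip):            # presented from outside the bound network
            return None, None
        if now - s.last_rotated >= self.rotate_every:   # recurring session ID relay
            del self._store[sid]                        # a copied old ID stops working at once
            sid = secrets.token_urlsafe(32)
            s.last_rotated = now
            self._store[sid] = s
        return s, sid


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("admin", "192.0.2.10", now=1000.0)
    print(store.validate(sid, "192.0.2.77", now=1100.0)[0] is not None)   # same /24: accepted
    print(store.validate(sid, "198.51.100.5", now=1100.0))                # other network: rejected
```

The mask is a trade-off the administrator has to set consciously: a /32 binding gives the strongest hijack protection but logs out users whose address changes mid-session (mobile networks, some proxies), while a wider mask tolerates that at the cost of accepting a stolen ID from a neighbouring address.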
Activity Control lets you protect the system from excessively active visitors, obtrusive bots, some DDoS attacks, and brute force attacks on passwords. You can also set the maximum allowed activity for your site (e.g. the number of requests per second a user can perform).
User activity control is built around the Web Analytics module's mechanisms and requires this module to be installed.
- protects from profusely active users;
- protects from bots and DDoS attacks;
- prevents brute force attacks on passwords;
- allows setting of a maximum possible visitor (human) activity quota;
- registers activity quota violations as events in the intrusion log;
- blocks visitors exceeding the activity quota;
- shows a special information page to a blocked visitor.
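The activity quota mechanism, as an added example (my own code, not Bitrix's Activity Control module; the quota of 10 requests per second, the 60-second block and the access log are constructed). A sliding window counts each visitor's recent requests; the first request over the quota is written to an intrusion-log list, the visitor is blocked for the configured duration, and a blocked visitor gets the information page text instead of content:

```python
import collections


class ActivityControl:
    """Per-visitor request quota over a sliding window; violators are logged to an intrusion log
    and blocked for block_s seconds. Quota values are my own choices, not Bitrix defaults."""

    def __init__(self, max_requests: int = 10, window_s: float = 1.0, block_s: float = 60.0):
        self.max_requests = max_requests
        self.window_s = window_s
        self.block_s = block_s
        self._hits = collections.defaultdict(collections.deque)   # visitor -> request timestamps
        self.blocked_until = {}                                    # visitor -> epoch seconds
        self.intrusion_log = []                                    # list of event dicts

    def check(self, visitor: str, now: float) -> str:
        """Return "ok" or "blocked" for one incoming request from `visitor` at time `now`."""
        until = self.blocked_until.get(visitor)
        if until is not None:
            if now < until:
                return "blocked"
            del self.blocked_until[visitor]                        # ban expired
        hits = self._hits[visitor]
        hits.append(now)
        while hits and hits[0] <= now - self.window_s:              # drop requests outside the window
            hits.popleft()
        if len(hits) > self.max_requests:
            self.blocked_until[visitor] = now + self.block_s
            self.intrusion_log.append({"time": now, "visitor": visitor,
                                       "event": "ACTIVITY_QUOTA_EXCEEDED",
                                       "requests_in_window": len(hits)})
            hits.clear()
            return "blocked"
        return "ok"

    def block_page(self, visitor: str, now: float) -> str:
        """Text of the information page shown to a blocked visitor."""
        remaining = max(0, int(self.blocked_until.get(visitor, now) - now))
        return f"Too many requests. Access is suspended for {remaining} more seconds."


# Constructed access log: (visitor, timestamp). One visitor issues 12 requests within 0.12 s,
# another makes a single request in the same period.
SAMPLE_LOG = [("198.51.100.7", 0.01 * i) for i in range(12)] + [("203.0.113.4", 0.05)]


def replay(log, ac=None):
    """Feed a log through the control and return ([(visitor, verdict)], control)."""
    ac = ac or ActivityControl()
    return [(visitor, ac.check(visitor, t)) for visitor, t in log], ac


if __name__ == "__main__":
    results, ac = replay(SAMPLE_LOG)
    for visitor, verdict in results:
        print(visitor, verdict)
    print(ac.intrusion_log)
```

Keying the quota on the client address alone is the simplest choice and the one that matches the page; behind a shared NAT or proxy a per-address quota can block many real users at once, so production deployments usually raise the quota for known proxies or key on the session as well.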
The stop list contains parameters used to restrict access to a site and possibly redirect to a specified page. Any visitor matching the stop list criteria (e.g. an IP address), will be blocked.
- redirects visitors matching the stop list entries;
- blocks visitors by their IP addresses;
- stop list entry management;
- collects statistics on visitors matching the stop list criteria;
- allows specification of the ban duration for users, IP addresses, network masks, UserAgent strings and referrer links;
- shows a customizable message to a blocked visitor.
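An added example covering both the Control Panel IP allow list from the earlier section and the stop list described here (my own code, not Bitrix's modules). The allow list accepts single addresses or CIDR ranges and, when the administrator saves a list that does not contain their own address, adds it automatically, which is my reading of the page's "the system will check your IP automatically". The stop list holds entries keyed by IP address or range, UserAgent wildcard or referrer wildcard, each with its own ban expiry and redirect target, and counts how often each entry matches:

```python
import fnmatch
import ipaddress
from dataclasses import dataclass


def to_network(entry: str):
    """Accept a single address or a CIDR / mask range ("192.0.2.10", "192.0.2.0/24")."""
    return ipaddress.ip_network(entry, strict=False)


class ControlPanelAccess:
    """IP allow list for the Control Panel. Saving a list that omits the administrator's own
    address adds it, so an admin cannot lock themselves out (my reading of the page)."""

    def __init__(self):
        self.allowed = []

    def save(self, entries, admin_ip: str):
        nets = [to_network(e) for e in entries]
        if not any(ipaddress.ip_address(admin_ip) in n for n in nets):
            nets.append(to_network(admin_ip))
        self.allowed = nets
        return [str(n) for n in nets]

    def permitted(self, ip: str) -> bool:
        return any(ipaddress.ip_address(ip) in n for n in self.allowed)


@dataclass
class StopEntry:
    kind: str        # "ip" (address or range), "useragent" or "referrer" (wildcard patterns)
    value: str
    until: float     # ban expiry, epoch seconds
    redirect: str = "/blocked.html"
    hits: int = 0    # statistics: how many requests matched this entry


class StopList:
    def __init__(self):
        self.entries = []

    def add(self, kind: str, value: str, now: float, duration_s: float, redirect: str = "/blocked.html"):
        self.entries.append(StopEntry(kind, value, now + duration_s, redirect))

    def match(self, request: dict, now: float):
        """Return the first live entry the request matches (and count the hit), else None."""
        for e in self.entries:
            if now >= e.until:                       # ban duration elapsed
                continue
            if e.kind == "ip":
                hit = ipaddress.ip_address(request["ip"]) in to_network(e.value)
            elif e.kind == "useragent":
                hit = fnmatch.fnmatch(request.get("user_agent", ""), e.value)
            elif e.kind == "referrer":
                hit = fnmatch.fnmatch(request.get("referrer", ""), e.value)
            else:
                hit = False
            if hit:
                e.hits += 1
                return e
        return None


if __name__ == "__main__":
    # Constructed configuration and requests.
    cp = ControlPanelAccess()
    print(cp.save(["198.51.100.0/24"], admin_ip="203.0.113.8"))     # admin's /32 appended
    sl = StopList()
    sl.add("ip", "192.0.2.0/24", now=0, duration_s=3600)
    sl.add("useragent", "BadBot/*", now=0, duration_s=600, redirect="/bots.html")
    print(sl.match({"ip": "192.0.2.77", "user_agent": "Mozilla/5.0"}, now=10))
```

UserAgent and referrer entries are convenient for cutting down obvious bot noise but are trivially changed by the client, so they belong in the statistics-and-nuisance category; the IP and network entries (and, for the Control Panel, the allow list) are the ones that carry real access-control weight.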
Phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication.
Two methods exist to prevent redirect phishing:
- Detect malicious redirects by the lack of a referring page in the HTTP header
- Sign links with a digital signature and verify it upon a redirect attempt
The following can be used as protection:
- Show a redirection warning to a visitor
- Unconditionally redirect visitors to site known to be safe
Recommended for the high security level.
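The two detection methods and the two responses listed above, as an added example of a redirect endpoint (my own code, not the Bitrix redirect handler; the secret key, host names and `/redirect.php` path are constructed). Links generated by the site carry an HMAC signature over the target, which the endpoint verifies; an unsigned redirect request that arrives with no referring page, or from a foreign page, is treated as a suspected phishing redirect and either gets a warning page or is sent to the site's own landing page instead:

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlparse

SITE_SECRET = b"constructed-example-secret-rotate-me"   # server-side key; constructed for the example
SITE_HOST = "www.example.com"                           # our own site, the "site known to be safe"
SAFE_LANDING = "https://www.example.com/"


def _signature(target: str, secret: bytes) -> str:
    mac = hmac.new(secret, target.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode()


def sign_link(target: str, secret: bytes = SITE_SECRET) -> str:
    """Build a redirect URL whose target is bound to a digital signature (HMAC here)."""
    return "/redirect.php?" + urlencode({"to": target, "sig": _signature(target, secret)})


def handle_redirect(query: str, referer, mode: str = "warn", secret: bytes = SITE_SECRET):
    """Decide the redirect endpoint's response: ("redirect", url) or ("warn", url).
    mode="warn" shows a warning page; mode="safe" sends the visitor to SAFE_LANDING instead."""
    params = parse_qs(query)
    target = params.get("to", [""])[0]
    sig = params.get("sig", [""])[0]
    # Method 2: a valid signature proves the link was generated by this site, not pasted elsewhere.
    if sig and hmac.compare_digest(sig.encode(), _signature(target, secret).encode()):
        return "redirect", target
    # Method 1: an unsigned redirect reached directly (no referring page) or from a foreign page
    # is treated as a suspected phishing redirect; only clicks from our own pages pass.
    if referer and urlparse(referer).hostname == SITE_HOST:
        return "redirect", target
    if mode == "safe":
        return "redirect", SAFE_LANDING
    return "warn", target


if __name__ == "__main__":
    link = sign_link("https://partner.example.net/offer")
    query = link.split("?", 1)[1]
    print(handle_redirect(query, referer=None))                                  # signed: redirect
    print(handle_redirect("to=https://unknown.example.org/", referer=None))      # unsigned, no referer: warn
    print(handle_redirect("to=https://unknown.example.org/", referer=None, mode="safe"))
```

The signature is the stronger of the two methods: browsers strip the Referer header under many privacy settings and referrer policies, so a missing referring page is only a heuristic, whereas an HMAC over the target cannot be produced without the server's key and changes as soon as anyone edits the destination in a pasted link.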
Bitrix carries out constant auditing and testing of the system protection mechanisms. In order to make these tests unbiased and objective, Bitrix recruits third-party specialist companies for unbiased auditing in addition to tests performed internally by the Bitrix team. The certificates obtained from security audit companies confirm the quality of the protection mechanisms and ensure their conformity to information security requirements.
"Protected Web Application"
This certificate is issued by Positive Technologies which has performed an audit of the new security features in Bitrix Site Manager. The built-in security features fully meet the requirements of the Web Application Firewall Evaluation Criteria as established by the Web Application Security Consortium.
(Bitrix Site Manager 8)
The built-in quality of the Bitrix Site Manager protection mechanisms gives users confidence not only in the system kernel reliability, but also in any solution developed on this platform, including add-ons and modifications done by the authorized Bitrix partners.